Qualcomm Android 10.0: calling the RecoverySystem.verifyPackage system API to verify an OTA package fails with java.security.SignatureException: package compat

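On a Qualcomm 10.0 platform, I used the system API RecoverySystem.verifyPackage() to verify an OTA upgrade package. Verification failed with java.security.SignatureException: package compat. At first I thought the upgrade package I had processed was at fault; after all, this is a system-provided API, so verification should not fail, and yet it did.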

The log from the failure is as follows:

07-07 21:42:35.539  2568  2568 W Thread-3: type=1400 audit(0.0:529): avc: denied { read } for name="config.gz" dev="proc" ino=4026532114 scontext=u:r:system_app:s0 tcontext=u:object_r:config_gz:s0 tclass=file permissive=0
07-07 21:42:35.539  2568  2568 W Thread-3: type=1400 audit(0.0:530): avc: denied { read } for name="policyvers" dev="selinuxfs" ino=10 scontext=u:r:system_app:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=0
07-07 21:42:35.557  2568  4362 E libvintf: Could not open /proc/config.gz: 13
07-07 21:42:35.557  2568  4362 W libvintf: Cannot fetch or parse /proc/config.gz: Permission denied
07-07 21:42:35.558  2568  4362 W libvintf: Cannot fetch or parse kernel sepolicy version: Operation not permitted
07-07 21:42:35.566  2568  4362 W VintfObject: VintfObject.verify() returns 1: Runtime info and framework compatibility matrix are incompatible: kernelSepolicyVersion = 0 but required >= 30
07-07 21:42:35.567  2568  4362 E SysUpdate/BaseActivity: verifyPackage  java.security.SignatureException: package compatibility verification failed

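Judging from the log above, reading only the code in RecoverySystem.verifyPackage() does not reveal the problem. The actual cause is in the two "avc: denied" entries in the log, which come from missing SELinux permissions. So sometimes you cannot trust system-provided APIs too much; in the end you still have to analyze the log.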
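The two denials can be turned into candidate policy rules mechanically, much as audit2allow does. The Python below is an added example, not code from the original post; the function names are hypothetical, and the input is the two avc lines copied from the log above.

```python
import re
from collections import defaultdict

# The two denial lines from the log above, copied verbatim.
LOG = '''\
07-07 21:42:35.539  2568  2568 W Thread-3: type=1400 audit(0.0:529): avc: denied { read } for name="config.gz" dev="proc" ino=4026532114 scontext=u:r:system_app:s0 tcontext=u:object_r:config_gz:s0 tclass=file permissive=0
07-07 21:42:35.539  2568  2568 W Thread-3: type=1400 audit(0.0:530): avc: denied { read } for name="policyvers" dev="selinuxfs" ino=10 scontext=u:r:system_app:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=0
'''

# Extract the permission set, the type field of scontext/tcontext, and the class.
AVC = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+'
    r'tclass=(?P<cls>\S+)(?:\s+permissive=(?P<perm>[01]))?')

def parse_denials(text):
    """Return {(source_domain, target_type, class): set(perms)} for enforced denials."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC.search(line)
        # permissive=1 means the access was logged but not blocked: skip it.
        if not m or m.group('perm') == '1':
            continue
        key = (m.group('src'), m.group('tgt'), m.group('cls'))
        rules[key].update(m.group('perms').split())
    return dict(rules)

def to_allow_rules(rules):
    """Render the merged denials as allow statements, one per (source, target, class)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == '__main__':
    for rule in to_allow_rules(parse_denials(LOG)):
        print(rule)
```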

 

The specific change, for reference:

--- a/LA.UM.8.6.2/LINUX/android/system/sepolicy/prebuilts/api/29.0/private/system_app.te
+++ b/LA.UM.8.6.2/LINUX/android/system/sepolicy/prebuilts/api/29.0/private/system_app.te
@@ -151,3 +151,7 @@ allow system_app system_server:udp_socket {
 
 # app domains which access /dev/fuse should not run as system_app
 neverallow system_app fuse_device:chr_file *;
+
+# for verify package compatibility
+allow system_app config_gz:file { read open };
+allow system_app selinuxfs:file { read open };
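Review bot: the two allow lines added at the end of system_app.te apply to the whole system_app domain, so every app running in that domain gains read access to /proc/config.gz and to all files labelled selinuxfs, while the log shows a single caller needing only config.gz and policyvers. Consider placing the updater in its own domain with just these two rules, and extend the comment to cite the two avc denials it answers. This copy lives under prebuilts/api/29.0, so keep it in step with the matching change in private/system_app.te.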
diff --git a/LA.UM.8.6.2/LINUX/android/system/sepolicy/private/system_app.te b/LA.UM.8.6.2/LINUX/android/system/sepolicy/private/system_app.te
index 687bbee..703eb3f 100644
--- a/LA.UM.8.6.2/LINUX/android/system/sepolicy/private/system_app.te
+++ b/LA.UM.8.6.2/LINUX/android/system/sepolicy/private/system_app.te
@@ -151,3 +151,7 @@ allow system_app system_server:udp_socket {
 
 # app domains which access /dev/fuse should not run as system_app
 neverallow system_app fuse_device:chr_file *;
+
+# for verify package compatibility
+allow system_app config_gz:file { read open };
+allow system_app selinuxfs:file { read open };
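Review bot: `open` in both added rules is not backed by the denials shown, which list only `{ read }` for config_gz and selinuxfs. Note in the comment or commit message that `open` was confirmed as needed (for example by a follow-up denial), or leave it out until one appears. The comment "for verify package compatibility" should also name RecoverySystem.verifyPackage so the reason for the rule is searchable later.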

 
